Q & A on Impero Education Pro security fix



As you are aware, on June 13th 2015 Impero was made aware that someone had illegally hacked our product and had then made the hack public rather than bringing it to our attention privately. We are very sorry that this has happened, and for any inconvenience or concern caused. Please be assured that we are doing everything we can to resolve the situation as quickly as possible. Since sending out a hotfix that same week, we have been working on a long-term solution that will be released in August.

We've had a few questions off the back of this news and wanted to address these in as much detail as 
we can. Here goes: 



What is the nature of the hack?

If exploited, this vulnerability could allow a user on the network to run unauthorised programs on, and interfere with, the Impero Clients on that network. In effect, the exploit tricks the Impero Server into treating commands as though they came from an authenticated Impero Console.

Two aspects of the software were compromised:

1. The encryption mechanism between the Client and the Server.

2. A Server configuration that accepts commands without first verifying that the sender is an authorised Console user.

These issues will be addressed in the August 
release. 




How could the hack be exploited?

This vulnerability can only be exploited if basic network security controls are absent and the attacker has local network access, typically by being physically on site. An attacker could use our software to gain system-level access to computers on an Impero network only if one of the following three pre-conditions is met:

1. The network has been configured to allow untrusted devices to connect (e.g. the attacker brings in their own device and connects it to the network; network administrators should already have locked this down).

2. External content in the form of executable code can be installed onto a machine on the network and run (e.g. the attacker brings the exploit in on a USB drive, or downloads it onto an already trusted machine and runs it; Impero itself can already prevent this from happening).

3. Scripting tools such as PHP are present locally and accessible to users on trusted machines (e.g. the attacker is a user on a trusted machine with access to tools that have not been locked down).



What can schools do to stop this being exploited?

We recommend that schools check and tighten their network security in the following ways to ensure this vulnerability cannot be exploited:

1. Upgrade your version of Impero to include our immediate hotfix. This ensures that the exploit as it was published cannot be used against your systems (the underlying weaknesses are addressed by the long-term fix in the August release).

2. Do not allow untrusted devices to connect to your network.

3. Disable access to external media where appropriate, to minimise the risk of exploit code being brought onto the network.

4. Make sure that inbound connections to the Impero Server from outside your network are blocked.

5. Block scripting tools (such as PHP) for all users.

6. Make sure that Group Policy security settings based on best practice (e.g. Software Restriction Policies) are in place.

7. If you want to be extra secure, disable the Impero Client service on sensitive machines (SLT, HR and Finance).

Is our data exposed? 

No, the published exploit does not expose any customer data. As mentioned above, it can only be used if basic network security controls are absent and the attacker has local network access, typically by being physically on site. Please refer to the security measures described above.



What is Impero doing to ensure the long-term fix is secure?

We immediately released a hotfix as a short-term measure to address the issue, and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution. All schools will have the new version, including the long-term fix, installed in time for the new school term. The revised security measures in this version will include:

1. Secure server-side authentication of Impero Clients connecting to the Server.

2. A new secure encryption key generation and exchange mechanism.

3. Secure server-side authentication of Console users as a default setting (Impero Console users will now have to enter the console password to open the Console).

4. A secure protocol which ensures that requests to perform privileged or system functions are only processed if the requester has been authenticated as an Impero Console user.

5. Better protection against reverse engineering of our executable code.

6. An option to only allow trusted Clients to join the Impero network. Unknown Clients will be placed in a holding list, and the network administrator must explicitly allow them to connect.

7. An Impero Server option to prevent older, insecure Clients from connecting.


How many customers have been affected?

To date there have been no reports of any 
customers being affected by this. 
What is Impero doing to ensure this doesn't happen again?

We are fully committed to continually improving our software security. In light of the recent hack, we will be stepping up our game: in addition to our own internal security checks, third-party penetration tests and beta programme, we will increase the frequency of our independent code base audits.
Does the fact that you are taking legal action on the individual that brought this to your attention mean you don't appreciate this sort of feedback?

As a responsible and engaging software house, 
Impero is fully open to working with customers 
and non-customers that wish to offer up 
improvement ideas or new feature requests. 
This is something we have always encouraged 
and will continue to do so. We frequently 
hold workshops and lunch time sessions to 
encourage such knowledge sharing. Anyone 
is free to call us directly at any time to discuss 
suggestions with us or attend these events. 



Should anyone wish to highlight security 
improvements directly we will make this 
a priority and engage accordingly, as we 
have done in the past. What we are not able 
to condone are irresponsible acts where 
individuals hack software and make this 
publicly available to others without engaging 
with the company in the first instance. This is 
highly irresponsible and is in no way "helpful" 
for our customers, who are our main concern. 

To confirm, we will not take legal action 
against people that identify security issues 
if ethical, private reporting practices are 
followed, so please don't be afraid to get in 
touch. In this instance these practices were not 
followed. 